<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <div id="box"></div>
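    <!--
      DOM-based XSS demo. Assigning untrusted text to innerHTML hands it to the
      HTML parser, so a payload like `content` below (an <img> whose onerror
      handler runs script) executes in the page.
      The vulnerable sink was:  box.innerHTML = "<p>" + content + "</p>"
      Fix: create the <p> as a DOM node and set its text with textContent, which
      never parses markup, so the payload is displayed as literal characters.
      Defense in depth (not shown here): a Content-Security-Policy without
      'unsafe-inline' would also block an injected inline onerror handler.
    -->
    <script>
        const box = document.getElementById('box')
        // Simulated untrusted input. In a real page this would arrive from a
        // URL parameter, a form field or an API response and must be treated
        // as data, never as markup.
        const content = '<img src onerror="alert(11111111111111111)">'

        // Build the paragraph through the DOM API instead of string
        // concatenation: textContent inserts "<img ...>" as plain text, so no
        // element is created and no handler fires.
        const paragraph = document.createElement('p')
        paragraph.textContent = content

        // Clear any existing children first to mirror what an innerHTML
        // assignment would have done, then attach the safe node.
        box.textContent = ''
        box.appendChild(paragraph)
    </script>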
</body>
</html>